The present application relates generally to communication networks, and, more particularly, to methods, systems, and computer program products for protecting against Internet Protocol (IP) prefix attacks.
The inter-domain routing infrastructure of the global Internet consists of tens of thousands of independently administered networks known as Autonomous Systems (ASes) and a collection of special routers that sit at the borders of these ASes and execute the Border Gateway Protocol (BGP) to manage AS-level routing.
BGP routers exchange and propagate route information amongst themselves through special route announcement messages. In its simplest form, an AS-level route on a BGP router can be represented as a tuple listing the destination IP address block (known as the “destination IP address prefix” or simply “prefix”) and the “best” known AS-level path to reach this prefix from the AS to which the BGP router belongs. Traffic destined for an IP address is matched to the route entry whose IP address prefix is the most specific one covering the destination IP address (longest match) and is forwarded to the first AS of that route entry's AS path as the next AS hop.
After a BGP router learns about a new route, it adds a corresponding route entry to its routing table and sends its neighboring BGP routers a modified announcement, created by appending its own AS identifier to the received AS path. If an announcement for a route change is received, a BGP router processes the announcement similarly, except that it only accepts and propagates the changed route if the new route is “better” than the current route.
One particular threat that this routing infrastructure faces is the so-called “prefix hijacking” attack. It is possible for an ill-intentioned or malfunctioning BGP router to announce a false AS-level route towards a prefix. If a BGP router is polluted by this announcement and replaces the legitimate route entry for this prefix with the false route in its routing table, any future IP data traffic destined for any IP address within the victim prefix will be forwarded along this false route, causing such traffic to be unrightfully intercepted, manipulated, or dropped—a result often referred to as IP traffic being “hijacked.” Furthermore, the affected router may propagate the false route to its neighboring BGP routers, spreading the false information and causing more IP data traffic to be hijacked.
One key to a successful hijack attack is to make the false route appear to be “better” than the existing route. Which route is “better” is subject to each BGP router's own interpretation. For example, a path's AS-level hop count is a commonly used metric: in general, the fewer ASes a path contains, the better it is. Another commonly used metric is AS relationship. BGP routers often tend to favor forwarding data along the direction that maximizes profit. Thus, AS forwarding behaviors often observe the so-called “valley free” property—a link towards a customer AS is favored over a link towards a peer AS, which in turn is favored over a link towards a provider AS.
Because a false path generally becomes less and less attractive as it is propagated (e.g., the AS path grows longer with each hop the announcement takes), at some point routers stop accepting the false route because their existing routes are considered better. The propagation of a false route is therefore typically limited to a region surrounding the hijacker router, which may be called the affected region. If a source sends data addressed to the victim prefix and the path from the source towards the victim prefix passes through the affected region, the source risks having its data hijacked.
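The following toy model is an added example and is not part of the application text or any vendor's implementation. It reduces BGP to the behaviors the passages above describe: each AS installs a route only when the announced AS path is strictly shorter than its current one, prepends its own ASN before re-advertising, forwards by longest-prefix match, and therefore accepts a false announcement only within a bounded affected region. The seven-AS chain topology, the ASNs, the prefixes 10.0.0.0/16 and 10.0.5.0/24, and the choice of AS 7 as the false origin are all constructed for the demonstration; real BGP decision processes apply many more tie-breakers than path length.

```python
"""Toy BGP model (added example, not from the application): route selection by
AS-path length, AS-path prepending on propagation, longest-prefix-match
forwarding, and the bounded "affected region" of a false announcement.
All ASNs, prefixes and links below are constructed for the demonstration."""
import ipaddress
from collections import deque


class BgpSpeaker:
    """One AS with a single border router and a prefix -> AS-path routing table."""

    def __init__(self, asn):
        self.asn = asn
        self.neighbors = []
        # path[0] is the next AS hop, path[-1] is the originating AS
        self.rib = {}

    def is_better(self, new_path, current_path):
        # Only the hop-count metric named in the text; ties keep the current route.
        return current_path is None or len(new_path) < len(current_path)

    def receive(self, prefix, path):
        """Process an announcement; True means accepted, so the caller propagates it."""
        if self.asn in path:          # loop prevention: drop paths containing our own ASN
            return False
        if not self.is_better(path, self.rib.get(prefix)):
            return False
        self.rib[prefix] = path
        return True

    def lookup(self, ip):
        """Longest-prefix match: (network, path) of the most specific covering route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, path in self.rib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, path)
        return best


def link(speakers, a, b):
    speakers[a].neighbors.append(b)
    speakers[b].neighbors.append(a)


def announce(speakers, origin_asn, prefix):
    """Originate prefix at origin_asn and flood it; each accepting AS prepends its
    own ASN before re-advertising. Returns the set of ASNs that installed the route."""
    speakers[origin_asn].rib[prefix] = (origin_asn,)
    accepted = {origin_asn}
    queue = deque([(origin_asn, (origin_asn,))])
    while queue:
        sender, path = queue.popleft()
        for nb in speakers[sender].neighbors:
            if speakers[nb].receive(prefix, path):
                accepted.add(nb)
                queue.append((nb, (nb,) + path))
    return accepted


def affected_region(speakers, prefix, false_origin):
    """ASNs whose installed route for prefix now ends at the false origin."""
    return {asn for asn, s in speakers.items()
            if prefix in s.rib and s.rib[prefix][-1] == false_origin}


def trace(speakers, source_asn, ip, max_hops=64):
    """Follow next-AS-hop decisions from source_asn for a destination IP.
    Returns the ASNs traversed; the last one originated the matching route."""
    hops, cur = [source_asn], source_asn
    for _ in range(max_hops):
        match = speakers[cur].lookup(ip)
        if match is None:
            break
        nxt = match[1][0]
        if nxt == cur:                # reached the originator of the matching route
            break
        hops.append(nxt)
        cur = nxt
    return hops


def build_demo():
    """Chain 1-2-3-4-5-6-7: AS1 owns 10.0.0.0/16, AS3 owns 10.0.5.0/24 (constructed)."""
    speakers = {asn: BgpSpeaker(asn) for asn in range(1, 8)}
    for a in range(1, 7):
        link(speakers, a, a + 1)
    announce(speakers, 1, "10.0.0.0/16")
    announce(speakers, 3, "10.0.5.0/24")
    return speakers


if __name__ == "__main__":
    net = build_demo()
    print("before:", trace(net, 6, "10.0.1.1"))            # [6, 5, 4, 3, 2, 1]
    # AS7 announces a false route for AS1's prefix; only nearby ASes find it "better"
    announce(net, 7, "10.0.0.0/16")
    print("affected region:", sorted(affected_region(net, "10.0.0.0/16", 7)))  # [5, 6, 7]
    print("after, from AS6:", trace(net, 6, "10.0.1.1"))   # [6, 7] ends at the false origin
    print("after, from AS4:", trace(net, 4, "10.0.1.1"))   # [4, 3, 2, 1] unaffected
    print("more-specific:", trace(net, 6, "10.0.5.9"))     # [6, 5, 4, 3] longest match wins
```

Running the module shows the bound the passage describes: the false route is accepted by AS 6 (path length 1 beats 5) and AS 5 (2 beats 4), but AS 4 keeps its legitimate route because the false path has grown to the same length as its existing one, so the affected region stops there and a source at AS 4 is unaffected while a source at AS 6 is hijacked. The last trace shows that forwarding for 10.0.5.9 still uses the more specific /24 route regardless of the /16 hijack, because the lookup is by longest match per destination.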